Oh yeah, it probably didn't work because I didn't have if_sid maybe the 
first time I was doing this.

On Wednesday, December 16, 2015 at 4:07:21 PM UTC-6, Phillipa Moorea wrote:
>
> I didn't know how to get the rule to match the log id.  I tried doing the 
> <id>^500$</id> for example, but it didn't work for me.
> This used to be my rule when I was messing around with it:
> <rule id="100210" level="6">
>   <id>^400$|^403$|^500$|^501$|^600$</id>
>   <description>Powershell Event.</description>
> </rule>
>
> I also have the problem in which opening PowerShell and running Get-Date 
> creates like 22 different alerts :(.  In the logs I notice that there is a 
> SequenceNumber, but I'm not sure how to use that to say generate 1 alert 
> for opening powershell, and 1 alert for running a command.  Or just 1 alert 
> for opening and running a single command.
>
> Just by opening the powershell window I get 24 events.  The SequenceNumber 
> iterates like this:
> Event Log 1   - 1
> Event Log 2   - 3
> Event Log 3   - 5
> Event Log 4   - 7
> Event Log 5   - 9
> Event Log 6   - 11
> Event Log 7   - 13
> Event Log 8   - 15
> Event Log 9   - 16
> Event Log 10 - 17
> Event Log 11 - 18
> Event Log 12 - 19
> Event Log 13 - 20
> Event Log 14 - 21
> Event Log 15 - 22
> Event Log 16 - 23
> Event Log 17 - 24
> Event Log 18 - 25
> Event Log 19 - 26
> Event Log 20 - 27
> Event Log 21 - 28
> Event Log 22 - 29
> Event Log 23 - 30
> Event Log 24 - 31
>
> Then I run Get-Date and I get 24 new logs where Event Log 1-24 matches up 
> with SequenceNumber 32-55
>
> Then I close PowerShell and get 1 new Event Log with SequenceNumber 56
>
> When I open PowerShell again, the SequenceNumber repeats back to 1
>
>
> On Tuesday, December 8, 2015 at 4:13:03 PM UTC-6, Daniel wrote:
>>
>> So basically what you're doing is looking for INFO logs and then matching 
>> the log content and not the actual log ID? Interesting. My general rule 
>> workflow is this: 
>> If OS=WINDOWS, then if TYPE=ERROR/INFO/WARN/etc, then if EVENTID=x, then 
>> create alert with LEVEL=y.
>>
>> Types can be referenced in <ossec-dir>/rules/msauth_rules.xml, with 18101 
>> being informational. Also, check out 
>> http://www.ossec.net/ossec-docs/OSSEC-book-ch4.pdf
>>
>> My basic powershell rule looks like the following:
>>
>> <!-- BEGIN "Windows PowerShell.evtx" Rules -->
>>   <rule id="104010" level="7">
>>     <if_sid>18101</if_sid>
>>     <id>^400$|^403$</id>
>>     <Match>PowerShell</Match>
>>     <description>PowerShell Started/Stopped.</description>
>>     <info>From "Windows PowerShell.evtx"</info>
>>   </rule>
>> <!-- END "Windows PowerShell.evtx" Rules -->
>>
>>
>> On Wednesday, December 2, 2015 at 4:02:25 PM UTC-5, Phillipa Moorea wrote:
>>>
>>> Thanks for all the help from you (Santiago), from dan, some other posts 
>>> on here, github repository issues, a book I bought on ossec for $10, and 
>>> the work of the OSSEC developers that made the 2.8.3 update, and of course 
>>> the people in the AlienVault Labs!
>>>
>>> I was now able to get the alerts working.  I analyzed the PowerShell 
>>> logs and changed my rules a bit.  Here is what I changed it to:
>>>
>>> <group name="powershell,">
>>>   <rule id="100210" level="0">
>>>     <if_sid>18100,18101</if_sid>
>>>     <match>CommandType=Script</match>
>>>     <description>Powershell Script.</description>
>>>   </rule>
>>>   <rule id="100211" level="0">
>>>     <if_sid>18100,18101</if_sid>
>>>     <match>CommandType=Cmdlet</match>
>>>     <description>Powershell Command.</description>
>>>   </rule>
>>>   <rule id="100212" level="0">
>>>     <if_sid>18100,18101</if_sid>
>>>     <match>CommandType=Function</match>
>>>     <description>Powershell Function.</description>
>>>   </rule>  
>>>   <rule id="100213" level="2">
>>>     <if_sid>100210</if_sid>
>>>     <match>NewCommandState=Started</match>
>>>     <description>Powershell Script (500-Started).</description>
>>>   </rule>
>>>   <rule id="100214" level="2">
>>>     <if_sid>100210</if_sid>
>>>     <match>NewCommandState=Stopped</match>
>>>     <description>Powershell Script (501-Stopped).</description>
>>>   </rule>  
>>>   <rule id="100215" level="2">
>>>     <if_sid>100211</if_sid>
>>>     <match>NewCommandState=Started</match>
>>>     <description>Powershell Command (500-Started).</description>
>>>   </rule>
>>>   <rule id="100216" level="2">
>>>     <if_sid>100211</if_sid>
>>>     <match>NewCommandState=Stopped</match>
>>>     <description>Powershell Command (501-Stopped).</description>
>>>   </rule>  
>>>   <rule id="100217" level="2">
>>>     <if_sid>100212</if_sid>
>>>     <match>NewCommandState=Started</match>
>>>     <description>Powershell Function (500-Started).</description>
>>>   </rule>
>>> ...
>>
>>

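A small Python model of how an OSSEC if_sid chain is walked, added for this thread (it is not OSSEC's engine and not a rule file from the posts): it mirrors 18100/18101 as the Windows parent rules plus the 100210 series and the 104010 rule quoted above, runs them over constructed sample events, and shows why the level-0 parents match silently while only the deepest matching child decides the alert. Substring `match` and a regex on the event id are simplifications of the real matching.

```python
import re

# Simplified rule table (added example, not OSSEC's own rules): if_sid None marks a root
# rule; "type" stands in for the Windows event type checked by 18101, "event_id" for <id>.
RULES = [
    {"id": 18100, "level": 0, "if_sid": None},                          # any Windows event
    {"id": 18101, "level": 0, "if_sid": 18100, "type": "INFORMATION"},
    {"id": 104010, "level": 7, "if_sid": 18101, "event_id": r"^400$|^403$", "match": "PowerShell"},
    {"id": 100210, "level": 0, "if_sid": 18101, "match": "CommandType=Script"},
    {"id": 100211, "level": 0, "if_sid": 18101, "match": "CommandType=Cmdlet"},
    {"id": 100213, "level": 2, "if_sid": 100210, "match": "NewCommandState=Started"},
    {"id": 100214, "level": 2, "if_sid": 100210, "match": "NewCommandState=Stopped"},
    {"id": 100215, "level": 2, "if_sid": 100211, "match": "NewCommandState=Started"},
    {"id": 100216, "level": 2, "if_sid": 100211, "match": "NewCommandState=Stopped"},
]

def rule_matches(rule, event):
    """Every constraint present on the rule must hold (AND semantics)."""
    if "type" in rule and event["type"] != rule["type"]:
        return False
    if "event_id" in rule and not re.search(rule["event_id"], event["id"]):
        return False
    if "match" in rule and rule["match"] not in event["message"]:
        return False
    return True

def evaluate(event, rules=RULES):
    """Walk the tree: a child (if_sid) is tried only after its parent matched;
    the deepest matching rule in the chain is the one that counts."""
    winner, parent = None, None
    while True:
        child = next((r for r in rules
                      if r["if_sid"] == parent and rule_matches(r, event)), None)
        if child is None:
            return winner
        winner, parent = child, child["id"]

def alert_for(event):
    """(rule id, level) of the alert this event raises, or None. Level-0 rules
    match but are silenced, which is how 100210/100211 stay quiet."""
    rule = evaluate(event)
    return None if rule is None or rule["level"] == 0 else (rule["id"], rule["level"])

# Constructed sample events shaped like the PowerShell log fields quoted in the thread.
SAMPLE = {
    "engine_start": {"type": "INFORMATION", "id": "400", "message": "Engine state is changed from None to Available. HostApplication=PowerShell.exe"},
    "cmdlet_started": {"type": "INFORMATION", "id": "500", "message": "NewCommandState=Started SequenceNumber=33 CommandType=Cmdlet"},
    "script_stopped": {"type": "INFORMATION", "id": "501", "message": "NewCommandState=Stopped SequenceNumber=9 CommandType=Script"},
    "no_state": {"type": "INFORMATION", "id": "500", "message": "CommandType=Script SequenceNumber=5"},
    "error_event": {"type": "ERROR", "id": "500", "message": "CommandType=Cmdlet NewCommandState=Started"},
}
```

Call `alert_for(SAMPLE["cmdlet_started"])` to see the chain 18100 -> 18101 -> 100211 -> 100215 resolve to a level-2 alert, while `no_state` stops at the silent 100210.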